Private Winten - Open Source Windows 10 privacy tool with built in Firewall

Discussion in 'other firewalls' started by DavidXanatos, Dec 23, 2018.

  1. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    269
    Location:
    Canada
    Yes that would be a smart idea, people who take ".zip" over ".exe" expect things to just be portable by default.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,791
    Location:
    Under a bushel ...
    :thumb:
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    New build with many bug fixes and minor improvements

    Note: the zip release now contains a PrivateWin10.ini to make it run in portable mode by default.

    download: https://github.com/DavidXanatos/priv10/releases/tag/v0.71

    [0.71] - 2019-12-16
    Added
    • added side bar button tooltips
    • added cleanup options for DNS inspector
    • added cname host name display
    Changed
    • when selecting the "All processes" placeholder entry the detail tabs (except rules) show data of all processes
    • reduced cpu usage when sorting the program tree
    • improved firewall setting handling
    • changed settings layout
    • reworked app package handling to properly operate as a service
    • simple list is now available also in "full height" view mode
    Fixed
    • issue with socket association resulting in memory leak
    • issues with rule guard enabling/disabling
    • fixed issues when running priv 10 not as admin
    • fixed issue with DNS cache
    • fixed minor issue with process monitor commandline handling
     
  4. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    866
    Is it your day job or hobby?

    If too personal, no need to answer.

    Well done!
     
  5. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,179
    I'm talking about things like installing a service (priv10) or creating something in the task scheduler and leaving it on the system after closing the app. Not sure if this stuff got set via the GUI or not. Including the ini in the zip would help. I probably launched the app without the .ini being present. I will try the latest version and see how that goes.
     
    Last edited: Dec 16, 2019
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    It's not my day job, but I would appreciate some side income resulting from this project.
     
  7. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    Next release with more bug fixes and improvements.

    Download: https://github.com/DavidXanatos/priv10/releases/tag/v0.72

    [0.72] - 2019-12-17
    Added
    • German Translation by uDEV2019
    • added option to backup and restore priv10 settings from/to file
    Changed
    • priv10 ui does no longer offer to stop the service when closing from tray but not running as admin
    • when running in portable mode data are no longer stored in the application directory directly
      but in the ".\data" sub directory; when running in portable mode it's needed to manually move the config files when updating
    Fixed
    • fixed an issue with gul guard setting
    • some English spelling corrections by CHEF-KOCH
     
  8. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    480
    Location:
    Lunar module
    Please show a screenshot where the interface displays line 134: lbl_about=About?
    It would be correct to add a time stamp to the backup archive name, like this: PrivateWin10-Data_17-12-2019_16-25-12.zip. Then you can back up several times a day.
    Perhaps you also need to include the license file in the backup, if any.
     
  9. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    Here it's used:
    [screenshot: upload_2019-12-18_9-25-6.png]

    I will add the date/time to the default file name
     
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    I have discovered today when installing a new windows server with priv10 that without granting an allow rule for PrivateWin10.exe, not the priv10 service, the tool couldn't send out UDP packets, not sure why that was.
    And I also noticed that not all sockets of the service were tagged as belonging to that service, I'm not sure why that is since some sockets were properly tagged, I will have to investigate that. Probably it's related to some thread context information.
    I also know that on windows 7 it was never enough to grant wuauserv (windows update service) network access, it was always necessary to plainly allow svchost.exe to access the internet. I presume because some of the sockets wuauserv opened were not properly tagged as belonging to wuauserv :/

    So apparently when creating a service it's easy to mess up the tagging of sockets.

    Hence I'm considering, for all services that are not hosted in svchost.exe, to drop the usage of the service tag altogether and always treat all sockets and create all rules as for the hosting process, irrespective of its service tag.
    This approach should have no practical drawbacks while making the mechanism much more fail safe.


    EDIT:

    Windows Internals Edition 6

    Chapter 4

    Service Tags
    [...]
    Windows implements a service attribute called the service tag, which the SCM generates by calling
    ScGenerateServiceTag when a service is created or when the service database is generated during
    system boot. The attribute is simply an index identifying the service. The service tag is stored in the
    SubProcessTag field of the thread environment block (TEB) of each thread (see Chapter 5, “Processes
    and Threads,” for more information on the TEB) and is propagated across all threads that a main
    service thread creates (except threads created indirectly by thread-pool APIs).
    Although the service tag is kept internal to the SCM, several Windows utilities, like Netstat.exe
    (a utility you can use for displaying which programs have opened which ports on the network), use
    undocumented APIs to query service tags and map them to service names. Because the TCP/IP stack
    saves the service tag of the threads that create TCP/IP end points, when you run Netstat with the
    –b parameter, Netstat can report the service name for end points created by services.



    Well £uck seems using the thread tag for the firewall is a bit iffy
     
    Last edited: Dec 19, 2019
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    Yet another bug fix release

    download: https://github.com/DavidXanatos/priv10/releases/tag/v0.73

    [0.73] - 2019-12-19
    Added
    • dns proxy blocklist is now saved every 15 minutes
    • added greatly improved search edit box, focus with ctrl+f
    • added "del" keyboard short key to remove selected item
    Changed
    • reworked GPO handling to avoid write lock conflicts on slower machines
    Fixed
    • fixed an issue when clicking the tray icon before the main window was fully loaded
    • fixed access color not changing in program list view
    • fixed crash bug on start as on admin
    • fixed crash bug with app package name resolution
    • fixed issue when upon a change the ribbon controls were not updated accordingly
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    This build introduced a major change in how services are handled!

    Service Tag information is now ignored for all services which are not hosted in svchost.exe, hence all other service firewall rules are now applied as per the service binary path only.
    This change was required as the way windows handles the service TAG information which is set on thread creation is not reliable. Threads created using thread-pool APIs do not get the Service Tag set. Hence network connections created from such worker threads are not attributed properly to the issuing service thus rules created for the service will be ignored.
    To remedy this misbehavior it's required to, whenever possible, create rules for the service binary itself and not set the Service Tag field. Such rules will apply to all sockets of all threads created by the issuing process.
    And since, aside from windows itself, using a shared service host process is not really a thing, this workaround should have no drawbacks.

    Update Note
    The tool should properly import old configuration data, but it is recommended to make a settings backup before updating.
    And to DISABLE rule guard actions, just in case, to ensure if an issue occurs the firewall configuration does not get messed up.

    Download: https://github.com/DavidXanatos/priv10/releases/tag/v0.74


    [0.74] - 2019-12-21
    Changed
    • changed service tag handling to only apply to svchost.exe hosted services
      • all other services will only be handled as regular programs identified by their path
      • the program window now by default always sets the service binary path when a service is selected
    Fixed
    • when opening the program window comboboxes were not properly disabled
    • fixed issue with updating service PID cache
     
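    The rule-scoping decision described in this release, written out as an added PowerShell example (not priv10 code): a service hosted in svchost.exe gets a service-tagged rule, any other service gets a rule on its binary path only, so that sockets opened from untagged thread-pool threads are still covered. The `ExampleSvc` name and the rule prefix are placeholders; `New-NetFirewallRule` needs an elevated prompt.

    ```powershell
    # Added example (not priv10 code): scope a block rule by service tag only when the
    # service lives in svchost.exe; otherwise fall back to the service binary path.
    function New-ServiceScopedBlockRule {
        param(
            [Parameter(Mandatory)] [string] $ServiceName,
            [string] $RulePrefix = 'example - '   # placeholder prefix for the rule name
        )
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
        if (-not $svc) { throw "Service '$ServiceName' not found" }

        # PathName is the full command line, e.g. "C:\Windows\system32\svchost.exe -k netsvcs".
        # Extract the executable part (quoted or unquoted) and expand any %SystemRoot%-style variables.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $common = @{
            DisplayName = "$RulePrefix$($svc.DisplayName) - Block All Network"
            Direction   = 'Outbound'
            Action      = 'Block'
        }

        if ([IO.Path]::GetFileName($exe) -ieq 'svchost.exe') {
            # Shared host process: only a service-tagged rule can single out this service
            # without affecting every other service in the same svchost.exe instance.
            New-NetFirewallRule @common -Program $exe -Service $svc.Name
        } else {
            # Dedicated binary: a path-only rule also matches sockets created by worker
            # threads whose SubProcessTag was never set, which a -Service rule would miss.
            New-NetFirewallRule @common -Program $exe
        }
    }

    # Usage (placeholder service name):
    New-ServiceScopedBlockRule -ServiceName 'ExampleSvc'
    ```

    Check the result with `Get-NetFirewallRule -DisplayName 'example - *' | Get-NetFirewallServiceFilter` to see which rules carry a service constraint and which are path-only.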
  13. Direct

    Direct Registered Member

    Joined:
    Dec 25, 2019
    Posts:
    2
    Location:
    Russia
    I can't figure out how to locate the rule from the right panel (LLMNR UDP-Out for example) in the left panel.
    Neither the Name nor the Group is traceable to the left side list.
    https://i.imgur.com/hmUB3ia.png
     
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    Normally the rules shown in the right panel belong to the programs selected in the left panel.
    If nothing is selected it will show all rules.

    You can see in the very right column "Program" of each rule which program it belongs to.
     
  15. Direct

    Direct Registered Member

    Joined:
    Dec 25, 2019
    Posts:
    2
    Location:
    Russia
    Thanks.

    It looks like some program or service is reverting or modifying fw rules after the system restarts.
    Some go "Custom Config", some "Unconfigured".
    priv10 rules are marked orange and disabled in affected "description groups".
    What could be a possible cause of this behavior?

    https://i.imgur.com/apK81PL.png - every line was "Block Access" before restarting.
    https://i.imgur.com/1HjJnEt.png
    Windows 10 Pro x64 in vmware, network temporarily disabled.

    One of the Privacy Log strings:
    Warning 00:00:00 27.12.2019 Firewall RuleDeleted Firewall rule "priv10 - Windows Driver Foundation - User-mode Driver Framework Host Process (wudfhost.exe) - Block All Network" for "Windows Driver Foundation - User-mode Driver Framework Host Process (wudfhost.exe)" was Removed.

    P.S. It seems Rules Guard behaves unexpectedly. I disabled "Guard Firewall Rules" and my fw rules just stop being disabled/reverted.
     
    Last edited: Dec 27, 2019
  16. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    85
    Location:
    Here
    I was wondering how you deal with DNS Client doing the majority of lookups on Windows 7 systems via svchost? Can you still correctly link DNS lookups to original process without disabling the DNS client service?

    I could be mistaken but I think in Windows 8.1 onwards you may be able to find the originating PID via ETW, but this functionality isn't available in Windows 7 without disabling the service and its cache?
     
    Last edited: Dec 30, 2019
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    Well I'm using ETW only, and imho that should work on windows 7 just fine, I know other ETW events do.
    Haven't explicitly tested the name resolution event provider on win 7 though...
     
  18. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    85
    Location:
    Here
    If you have a test system I'd be interested in your results. With DNS Client Service running do you get the PID of svchost only or the actual applications attempting the DNS query?
     
  19. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    There are two providers: one returns only the svchost.exe PID,
    and another returns the PID of the querying process, each time it queries a name, even if the name is already cached.
     
  20. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    85
    Location:
    Here
    Thanks David. Everything I'm reading indicates Windows 7 logging behaves differently in regards to DNS. Can you confirm you successfully tested this on Windows 7 with DNS Client Service running? If you don't have a test machine it's no problem.
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    I just tested and I can confirm that on a Test VM with Windows 7 SP1 x64 the DNS logging using ETW works just fine.
     
  22. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    85
    Location:
    Here
    Well that's good news, thanks for confirming. I'll investigate further with my setup to see what prevents the capture here :thumb:.
     
  23. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    324
    Location:
    Viena
    If you don't get any events at all a reboot usually helps.
    Also I noticed that tools like ReSharper from JetBrains seem to mess with ETW as well,
    but such issues always result in no events and not in events with less data.
     